How to Limit the Number of Connections (Requests) in NGINX


NGINX ships with various modules that let users control traffic to their websites, web applications, and other web resources. One of the main reasons for limiting traffic or access is to prevent abuse or certain kinds of attacks, such as DoS (Denial of Service) attacks.

There are three main ways of limiting usage or traffic in NGINX:

  1. Limiting the number of connections (requests).
  2. Limiting the rate of requests.
  3. Limiting bandwidth.

Depending on the use case, each of the NGINX traffic-management approaches above can be configured to limit based on a defined key, the most common being the client's IP address. NGINX also supports other variables, such as a session cookie, and many more.

In this first part of our three-part series, we will discuss how to limit the number of connections in NGINX to safeguard your websites/applications.

  • How to Limit the Number of Connections (Requests) in NGINX – Part 1
  • How to Limit the Rate of Connections (Requests) in NGINX – Part 2
  • How to Limit Bandwidth Usage in NGINX – Part 3

Keep in mind that NGINX counts a connection towards the limit only if it has a request being processed by the server and the whole request header has already been read. Therefore, not all client connections are counted.

Limiting the Number of Connections in NGINX

First, you need to define a shared memory zone that stores connection metrics for the various keys, using the limit_conn_zone directive. As mentioned earlier, a key can be text, a variable such as the client's IP address, or a combination of the two.

This directive, which is valid within the HTTP context, takes two parameters: the key and the zone (in the format zone_name:size).

limit_conn_zone $binary_remote_addr zone=limitconnbyaddr:20m;

To set the response status code returned for rejected requests, use the limit_conn_status directive, which takes an HTTP status code as an argument. It is valid within the HTTP, server, and location contexts.

limit_conn_status 429;

To limit connections, use the limit_conn directive to set the memory zone to be used and the maximum number of allowed connections, as shown in the following configuration snippet. This directive is valid within the HTTP, server, and location contexts.

limit_conn   limitconnbyaddr  50;

Here is the complete configuration:

upstream api_service {
    server 127.0.0.1:9051;
    server 10.1.1.77:9052;
}
limit_conn_zone $binary_remote_addr zone=limitconnbyaddr:20m;
limit_conn_status 429;

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    limit_conn   limitconnbyaddr  50;

    #include snippets/error_pages.conf;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    location / {
        try_files $uri $uri/ /index.html =404 =403 =500;
    }
    location /api {
        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Save the file and close it.

Then check whether the NGINX configuration is correct by running the following command:

$ sudo nginx -t

Next, reload the NGINX service to apply the recent changes:

$ sudo systemctl reload nginx

Checking the Nginx Connection Limit

When a client exceeds the maximum number of allowed connections, NGINX returns a "429 Too Many Requests" error to the client and registers an entry like the one below in the error log file:

2022/03/15 00:14:00 [error] 597443#0: *127 limiting connections by zone "limitconnbyaddr", client: x.x.x.x, server: testapp.tecmimt.com, request: "GET /static/css/main.63fdefff.chunk.css.map HTTP/1.1", host: "testapp.tecmimt.com"
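
To see which clients and zones are hitting the limit, the error-log entries can be summarized per client. The script below is an added example, not part of the original article; the sample log lines are constructed (documentation IP ranges, placeholder host name), and the function names are illustrative. One address with many rejections may be a single abusive client or many users behind one NAT.

```python
import re
from collections import Counter

# Error-log entry written when limit_conn rejects a request (format as in the
# log line above; the request field is treated as optional).
LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'\*\d+ limiting connections by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]*)'
    r'(?:, request: "(?P<request>[^"]*)")?'
)

# Constructed sample log lines; the third is an unrelated error that is ignored.
SAMPLE_LOG = """\
2022/03/15 00:14:00 [error] 597443#0: *127 limiting connections by zone "limitconnbyaddr", client: 203.0.113.7, server: app.example.test, request: "GET /static/css/main.css HTTP/1.1", host: "app.example.test"
2022/03/15 00:14:00 [error] 597443#0: *128 limiting connections by zone "limitconnbyaddr", client: 203.0.113.7, server: app.example.test, request: "GET /static/js/app.js HTTP/1.1", host: "app.example.test"
2022/03/15 00:14:01 [error] 597443#0: *131 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.20, server: app.example.test, request: "GET /favicon.ico HTTP/1.1", host: "app.example.test"
2022/03/15 00:14:02 [error] 597443#0: *140 limiting connections by zone "limitconnbyaddr", client: 198.51.100.20, server: app.example.test, request: "GET /api/items HTTP/1.1", host: "app.example.test"
2022/03/15 00:14:03 [error] 597443#0: *141 limiting connections by zone "limitconnbyaddr", client: 203.0.113.7, server: app.example.test, request: "GET /api/items HTTP/1.1", host: "app.example.test"
""".splitlines()


def parse_rejection(line):
    """Return the fields of a limit_conn rejection entry, or None."""
    m = LIMIT_RE.match(line)
    return m.groupdict() if m else None


def rejections_by_client(lines):
    """Count rejections per (zone, client) pair."""
    counts = Counter()
    for line in lines:
        rec = parse_rejection(line)
        if rec:
            counts[(rec["zone"], rec["client"])] += 1
    return counts


def noisy_clients(lines, threshold):
    """(zone, client, count) for clients rejected at least `threshold` times."""
    ranked = rejections_by_client(lines).most_common()
    return [(z, c, n) for (z, c), n in ranked if n >= threshold]


if __name__ == "__main__":
    for zone, client, n in noisy_clients(SAMPLE_LOG, threshold=2):
        print(f"{client} rejected {n} times by zone {zone}")
```

On a live host, pass the lines of the server's error log file instead of SAMPLE_LOG.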

Limiting the Number of Nginx Connections to an Application

You can also limit the number of connections for a given server by using the $server_name variable:

upstream api_service {
    server 127.0.0.1:9051;
    server 10.1.1.77:9052;
}
limit_conn_zone $server_name zone=limitbyservers:10m;
limit_conn_status 429;

server {
    listen 80;
    server_name testapp.linux-console.net;
    root /var/www/html/testapp.linux-console.net/build;
    index index.html;

    limit_conn  limitbyservers  2000;

    #include snippets/error_pages.conf;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    location / {
        try_files $uri $uri/ /index.html =404 =403 =500;
    }
    location /api {
        proxy_pass http://api_service;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

This configuration enables NGINX to limit the total number of connections to the virtual server that powers the application testapp.linux-console.net to 2000 connections.

Note: Limiting connections based on a client's IP address has a downside. You can end up restricting connections for more than just a single user, particularly if many users accessing your application are on the same network and operating behind a NAT, because all of their connections will originate from the same IP address.

In such a scenario, you can use one or more variables available in NGINX that can identify a client at the application level, for example a session cookie.

That's all for now! In the next part of this series, we will discuss another useful traffic-management technique in NGINX: limiting the number of requests. Until then, stay with us.